I've been playing with this idea for a while, mostly because of nerg343's great job on pitou. Anyway, what I'm wondering is why couldn't we use a newer generation ASIC with an older emulator? My F, H, and HU all still work perfectly emulating, just no video of course. From what I understand, the stream is encrypted, but IRD does the decryption, so why couldn't the software be modified to take the seed byte, send it to a p4 asic and receive video on a p2/p3 emulator system?

1. I had a document with pictures where an h-card was made an aux only card. The pad was removed from the card, some wire(s) cut and others moved. The result was an h-card that only worked as an aux card. It of course didn't get booted up the same way the classic pgm aux card did. If I can find this document, I will upload it to the files section. Being that the p4 isn't h@cked and thinking the asic is a separate die, then this would probably be the best solution at the moment to try and create an aux.

2. The cmd94 is something never implemented on the p2 series card, yet it was written into pitou to be used with the p2. I don't know the stream like some of you; the only reason I'm guessing this worked and my idea wouldn't is because this packet header didn't direct it to a certain series of cards.

Sorry if I missed something obvious that makes this totally impossible, but we're all here to learn right?

Quote:

Originally Posted by zero

From what I understand, the stream is encrypted, but IRD does the decryption

The IRD merely separates the data intended for the card from the rest of the stream and sends it to the card.

Quote:

Originally Posted by zero

so why couldn't the software be modified to take the seed byte, send it to a p4 asic and recieve video on a p2/p3 emulator system?

The P4/P5 would need to be AUX’ed for us to do that. As I am sure you know we have no way of AUXing a P4/P5.

Quote:

Originally Posted by zero

I had a document with pictures where an h-card was made an aux only card. The pad was removed from the card, some wire(s) cut and others moved. The result was an h-card that only worked as an aux card. It of course didn't get booted up the same way the classic pgm aux card did. If I can find this document, I will upload it to the files section. Being that the p4 isn't h@cked and thinking the asic is a separate die, then this would probably be the best solution at the moment to try and create an aux.

That document had to have been a hoax. The P2 and P3 both had the ASIC on die. AND to the best of my knowledge so does the P4/P5. Even if the ASIC was off die you wouldn't be able to just cut some wires and enslave the ASIC, at least not with the human hand, an X-Acto knife, and a soldering iron. You would need highly specialized lab equipment.

Curious.... I'm sure the HU stream was encrypted the same way the p4 is then, so how was it able to be decoded? Did they use the same encryption they did on the eeprom, or is the only unencrypted stream we are seeing what would be going through the card (or emu), which the card is actually decrypting? If so, I guess my theory would never work unless the stream could be decrypted first.

It is true that some of the oldest H cards did have the asic on a separate die. I have cut away the top on one of these and "tinkered" with it a bit. I was never able to grab hold of the wires with my homebrew equipment, but I suspect that it wouldn't have worked as an aux card with the emulator anyway. I think it would have been somewhat useful in attempting to glitch the asic to see what it would spit out. (though I never got that far)

Now back on topic... If dtv decided to give you a head start and handed you a p4 that was set up as an aux card, it still would not work with a p3 or p2 emulator. You are overestimating the role the asic plays in the actual process. The asic does not generate the video keys/packet signatures/etc. It likely plays a role in generating them, but it doesn't do it on its own. The processor in the card does the majority of the work, using the asic to provide outside input into its calculations.

A hypothetical to help you visualize the process. Say I want to send you an encrypted file and I need to make up a password. Now say you and I both have a mutual friend. I'll play the part of dtv and ask our friend (the asic) for two numbers. Let's say I ask him for his date of birth and the date he first kissed a girl. (two answers that there's a good chance only he will know) Now I add them together and divide by 12. Then I send you two emails; one is the file encrypted with the password I made. In order for you to decrypt the file you need the second email with instructions on how to rebuild the password, and you need access to our friend the asic.

What you are missing is that even if you already knew the answers to any question I could ever ask our friend, you still couldn't get the password unless you could understand the emails from me telling you how to generate it. We cannot decrypt a p4 packet and see what it says to do with the data from the asic.

The command structure hasn't changed much over the years (the same basic ins-es do the same things), but the actual structure of the card is not the same. A p3 wouldn't even understand the packet for a p4. I'm a little rusty on the code, but I think it's the fourth byte of the cmd90 that the card uses to determine if it should even bother trying to understand a given packet. Take a look through a hu disassembly and you'll see it.
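The mutual-friend analogy in the post above, as an added example that is not part of the original thread and is not anything taken from a real access card or stream: an oracle (the ASIC) that only answers questions, a "recipe" for turning the answers into a key that travels encrypted under a key only a genuine card holds, and a receiver that needs both. The question names, the add-and-divide step, the salt, the packet layout and the card key are all constructed for illustration. The point the code makes is the one the post makes: a party with complete access to the oracle, but no way to read the recipe, still cannot rebuild the video key.

```python
"""Toy model of the mutual-friend analogy. Everything here (questions,
recipe format, packet layout, card key) is constructed for illustration
and is not a real access-card or stream format."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used as a simple stream cipher.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Asic:
    """The mutual friend: answers a fixed set of questions and nothing more."""

    def __init__(self, answers: Dict[str, int]):
        self._answers = answers

    def ask(self, question: str) -> int:
        return self._answers[question]


def derive_video_key(asic: Asic, recipe: dict) -> bytes:
    """Rebuild the password: ask the listed questions, add, divide, hash with the salt."""
    value = sum(asic.ask(q) for q in recipe["questions"]) // recipe["divide"]
    return hashlib.sha256(value.to_bytes(8, "big") + bytes.fromhex(recipe["salt"])).digest()


def broadcaster_send(asic_answers: Dict[str, int], card_key: bytes, video: bytes):
    """'dtv' knows the friend's answers and the card key; it emits the two 'emails'."""
    recipe = {
        "questions": ["date_of_birth", "first_kiss"],  # constructed, following the analogy
        "divide": 12,
        "salt": secrets.token_bytes(16).hex(),  # fresh per packet
    }
    video_key = derive_video_key(Asic(asic_answers), recipe)
    return seal(video_key, video), seal(card_key, json.dumps(recipe).encode())


def card_receive(asic: Asic, card_key: bytes, enc_video: bytes, enc_recipe: bytes) -> Optional[bytes]:
    """A genuine card: read the recipe, consult the ASIC, decrypt the video."""
    recipe_bytes = open_(card_key, enc_recipe)
    if recipe_bytes is None:
        return None
    return open_(derive_video_key(asic, json.loads(recipe_bytes)), enc_video)


def attacker_with_asic_only(asic: Asic, enc_video: bytes) -> Optional[bytes]:
    """Full ASIC access (every answer dumped) but no card key: guess recipes blindly."""
    questions = list(asic._answers)  # the attacker has read the oracle out completely
    for i in range(len(questions)):
        for j in range(i, len(questions)):
            for divide in range(1, 65):
                guess = {"questions": [questions[i], questions[j]], "divide": divide, "salt": "00" * 16}
                video = open_(derive_video_key(asic, guess), enc_video)
                if video is not None:
                    return video
    return None  # the salt and the combining step live only inside the encrypted recipe


def demo() -> dict:
    answers = {"date_of_birth": 19790314, "first_kiss": 19940722}  # constructed values
    card_key = secrets.token_bytes(32)
    enc_video, enc_recipe = broadcaster_send(answers, card_key, b"VIDEO FRAME 0001")
    return {
        "card": card_receive(Asic(answers), card_key, enc_video, enc_recipe),
        "asic_only_attacker": attacker_with_asic_only(Asic(answers), enc_video),
        "wrong_card_key": card_receive(Asic(answers), secrets.token_bytes(32), enc_video, enc_recipe),
    }
```

Calling `demo()` gives a dict in which only the genuine card recovers the frame; the attacker who knows every answer the oracle can give, and the card holding the wrong card key, both get `None`, because the tag on the recipe (or on the video) never verifies.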

Thanks for the information, you really got at the point of what I needed to know.

I liked your e-mail analogy and I think it'll help others understand what is going on too.

I also wasn't hoping for the p2/p3 to understand the newer cards' command structure, but instead to continue to work as it does now and somehow use a software hack to get the seed byte(s) needed and send them to a newer asic to generate the keys to give video.

I completely underestimated the importance of the card itself to get the seed bytes needed to generate the keys. The attitude around the net has always seemed to stress the importance of the ASIC, but after a series of cards gets hacked I guess they forget how integrated the two are.

So for this (my out there idea) to be possible, you'd have to be able to decode the p4 stream on the fly, know enough about the p4 to process the stream to get your seed byte(s), somehow aux the p4 or make it an asic only card, and then it would generate the correct video authorization keys?

Even if I'm still missing something, it sounds like basically the p4 will have to be hacked to accomplish what I listed above..... and if that's the case, why not just write a p4 emulator?! Well, it was an idea, I threw it out there, thanks for the feedback.

The part that seems to get passed over whenever anyone discusses the asic is just exactly what it is. The asic is an Application Specific Integrated Circuit. From my viewpoint I suspect it's another processor with its own eeprom/rom/ram and a program to generate seemingly (but not really) random seed values that the main access card processor can then use.

Here's the kicker... I have a strong suspicion that the asic for the Hu and the H before it were compromised. The reason you never see any real asic related information posted is because the big dealers have an interest in keeping it from us. With a dump of the asic a cardless emulator was a real possibility for both series of cards. A dump of the asic means you can emulate it (probably), and if you can emulate the asic you don't need the plastic anymore. No plastic means no loaders to sell...

Quote:

The part that seems to get passed over whenever anyone discusses the asic is just exactly what it is. The asic is an Application Specific Integrated Circuit. From my viewpoint I suspect it's another processor with its own eeprom/rom/ram and a program to generate seemingly (but not really) random seed values that the main access card processor can then use.

Nope, it is just a bunch of specialized logic set up to perform a few specific cryptographic operations. This makes it much more difficult to trick into improperly divulging information. If the big dealers could emulate the asic they would have been selling p3 battery cards.

HOTD is right. If the ASIC was compromised they would have found a way to profit from it by selling AVRs and/or Atmega board solutions instead; these testing devices, as you know, have been used by Charlie and Dish testers for years. In fact it's a much larger industry than selling 3m support. This year the new rage is BLACKBIRD/SILVER BULLETs, and at $300-450 a pop that's big business.

If the ASIC was hacked by the dealers then they most certainly would have found a way to profit from it, but your comment that mentions your "strong suspicion" that it was hacked suggests that one of the bigger emulation guns from the past figured it out and, since they have no financial interest in its release, probably decided to keep it secret.